Permissions for Endpoint Central macOS agent via MDM

This article describes the steps to configure the macOS-level permissions that the Endpoint Central agent needs. macOS requires each third-party vendor's system extension to be approved, which in turn requires the vendor's Team ID (the Apple Developer Team identifier) to be allowed.

  • With macOS 10.14, Apple added new default privacy behaviour (TCC) that prevents applications from accessing protected data on disk, taking remote control of the screen, etc. until the user or an MDM profile grants the permission
  • With macOS 13, Apple added an option in System Settings (General > Login Items) that lets users disable an app's background processes, unless the app is protected by an MDM profile

Table of contents

  1. Granting Permissions
  2. Whitelisting System Extensions
  3. Background Service/Login Item Management

If ManageEngine MDM is used, the permissions below are deployed to macOS machines automatically. Follow the steps below if another MDM vendor is used.

Granting Permissions

Permissions can be granted through an MDM Privacy Preferences Policy Control (PPPC) profile. The permissions to be granted are Full Disk Access, Accessibility and Screen Recording (screen capture).

The PPPC profile requires the following details for each process:

1. Protector System Extension - Process that monitors the agent folder and processes, and prevents users from modifying files or interrupting the processes

Identifier:              com.manageengine.protectord
Code sign requirement:   anchor apple generic and identifier "com.manageengine.protectord" and certificate leaf[subject.OU] = TZ824L8Y37
Static code validation:  No
Allowed permissions:     System Policy All Files (Full Disk Access)
Other permissions:       User controlled

2. Agent service - Process that performs all agent tasks

Identifier:              dcagentservice
Code sign requirement:   identifier dcagentservice and anchor apple generic and certificate leaf[subject.OU] = TZ824L8Y37
Static code validation:  No
Allowed permissions:     System Policy All Files (Full Disk Access)
Other permissions:       User controlled

Apps for Apple Events - receiving applications that the agent service must be allowed to send Apple Events to (each needs an Apple Events entry in the PPPC profile with the receiver's identifier and code requirement)

#   Identifier                  Code requirement
1   com.apple.systemevents      identifier "com.apple.systemevents" and anchor apple
2   com.apple.systemuiserver    identifier "com.apple.systemuiserver" and anchor apple
3   com.apple.finder            identifier "com.apple.finder" and anchor apple
4   com.apple.installer         identifier "com.apple.installer" and anchor apple

3. Remote Access - Process responsible for taking remote control

Identifier:              com.zoho.assist.ManageEngineRemoteAccess
Code sign requirement:   identifier "com.zoho.assist.ManageEngineRemoteAccess" and anchor apple generic and certificate leaf[subject.OU] = TZ824L8Y37
Static code validation:  No
Allowed permissions:     Accessibility, Screen Capture
Other permissions:       User controlled

Note that Accessibility can be pre-approved by MDM, but Screen Recording cannot: a PPPC profile can at most allow a standard user to approve it without administrator credentials (AllowStandardUserToSetSystemService, macOS 11 and later), so the user still has to grant Screen Recording once when prompted. If the above steps do not help, follow the steps in this link to grant permissions for Remote Access.

4. Application Control System Extension - Process that monitors and controls other processes based on the Application Control policy

Identifier:              com.manageengine.appctrl.driver
Code sign requirement:   anchor apple generic and identifier "com.manageengine.appctrl.driver" and certificate leaf[subject.OU] = TZ824L8Y37
Static code validation:  No
Allowed permissions:     System Policy All Files (Full Disk Access)
Other permissions:       User controlled

Whitelisting System Extensions

System extensions can be allowed through an MDM System Extension profile. Allowing the Team Identifier and the extension bundle identifiers lets the extensions load without the user having to approve them in System Settings.

The System Extension profile requires the following details:

1. Protector System Extension

Team Identifier:                  TZ824L8Y37
Allowed extension categories:     Security extensions (Endpoint Security)
Extension bundle identifier(s):   com.manageengine.protectord

2. Application Control System Extension

Team Identifier:                  TZ824L8Y37
Allowed extension categories:     Security extensions (Endpoint Security)
Extension bundle identifier(s):   com.manageengine.appctrl.driver

Background Service / login item management

On macOS 13 and later, users can turn off an app's background items under System Settings > General > Login Items. Admins can prevent users from disabling the agent's background items on the macOS machine with a Managed Login Items profile that allows the app by Team Identifier.

Team Identifier of the app to be protected from being disabled: TZ824L8Y37
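The three profiles described above (PPPC, System Extension, Managed Login Items), as an added example that is not ManageEngine's own code or documentation: a POSIX shell script that emits one .mobileconfig containing all three payloads, for use with an MDM other than ManageEngine MDM. The identifiers, code requirements and Team ID are the ones listed in this article; the PayloadIdentifier prefix com.example.endpointcentral, the fixed placeholder UUIDs, and the choice of dcagentservice as the process that sends the Apple Events are assumptions.

```shell
#!/bin/sh
# Added example, not ManageEngine's tooling: emits one .mobileconfig with the
# three payloads this article describes (PPPC, System Extension policy,
# Managed Login Items) for use with a non-ManageEngine MDM. Identifiers, code
# requirements and Team ID are those listed in the article. Assumptions:
# the PayloadIdentifier prefix, the fixed UUIDs (replace with unique ones per
# deployment), and that dcagentservice is the process sending Apple Events.
set -eu
TEAM_ID="TZ824L8Y37"
PREFIX="com.example.endpointcentral"
REQ_PROTECTORD='anchor apple generic and identifier "com.manageengine.protectord" and certificate leaf[subject.OU] = TZ824L8Y37'
REQ_AGENT='identifier dcagentservice and anchor apple generic and certificate leaf[subject.OU] = TZ824L8Y37'
REQ_REMOTE='identifier "com.zoho.assist.ManageEngineRemoteAccess" and anchor apple generic and certificate leaf[subject.OU] = TZ824L8Y37'
REQ_APPCTRL='anchor apple generic and identifier "com.manageengine.appctrl.driver" and certificate leaf[subject.OU] = TZ824L8Y37'

# One PPPC entry: $1 identifier, $2 code requirement, $3 Authorization.
# StaticCode false corresponds to "Static code validation: No" in the article.
tcc_entry() {
  cat <<EOF
        <dict><key>Identifier</key><string>$1</string><key>IdentifierType</key><string>bundleID</string>
          <key>CodeRequirement</key><string>$2</string><key>StaticCode</key><false/>
          <key>Authorization</key><string>$3</string></dict>
EOF
}
# Apple Events entry: sender $1 (requirement $2) may target receiver $3 (requirement $4).
ae_entry() {
  cat <<EOF
        <dict><key>Identifier</key><string>$1</string><key>IdentifierType</key><string>bundleID</string>
          <key>CodeRequirement</key><string>$2</string><key>StaticCode</key><false/>
          <key>AEReceiverIdentifier</key><string>$3</string><key>AEReceiverIdentifierType</key><string>bundleID</string>
          <key>AEReceiverCodeRequirement</key><string>$4</string><key>Authorization</key><string>Allow</string></dict>
EOF
}
# Common payload header: $1 PayloadType, $2 name suffix, $3 UUID (placeholder).
payload_header() {
  cat <<EOF
    <dict><key>PayloadType</key><string>$1</string><key>PayloadIdentifier</key><string>$PREFIX.$2</string>
      <key>PayloadUUID</key><string>$3</string><key>PayloadVersion</key><integer>1</integer>
EOF
}
pppc_payload() {
  payload_header com.apple.TCC.configuration-profile-policy pppc 11111111-1111-4111-8111-111111111111
  echo '      <key>Services</key><dict>'
  echo '        <key>SystemPolicyAllFiles</key><array>'
  tcc_entry com.manageengine.protectord "$REQ_PROTECTORD" Allow
  tcc_entry dcagentservice "$REQ_AGENT" Allow
  tcc_entry com.manageengine.appctrl.driver "$REQ_APPCTRL" Allow
  echo '        </array><key>Accessibility</key><array>'
  tcc_entry com.zoho.assist.ManageEngineRemoteAccess "$REQ_REMOTE" Allow
  # MDM cannot pre-approve Screen Recording; on macOS 11+ it can only let a
  # standard user approve it without administrator credentials.
  echo '        </array><key>ScreenCapture</key><array>'
  tcc_entry com.zoho.assist.ManageEngineRemoteAccess "$REQ_REMOTE" AllowStandardUserToSetSystemService
  echo '        </array><key>AppleEvents</key><array>'
  for r in com.apple.systemevents com.apple.systemuiserver com.apple.finder com.apple.installer; do
    ae_entry dcagentservice "$REQ_AGENT" "$r" "identifier \"$r\" and anchor apple"
  done
  echo '        </array></dict></dict>'
}
# System Extension policy: both extensions are Endpoint Security extensions
# ("Security extensions" in the article). AllowUserOverrides keeps the normal
# user-approval path for extensions not listed here.
sysext_payload() {
  payload_header com.apple.system-extension-policy sysext 22222222-2222-4222-8222-222222222222
  cat <<EOF
      <key>AllowUserOverrides</key><true/>
      <key>AllowedTeamIdentifiers</key><array><string>$TEAM_ID</string></array>
      <key>AllowedSystemExtensions</key><dict><key>$TEAM_ID</key><array>
        <string>com.manageengine.protectord</string><string>com.manageengine.appctrl.driver</string></array></dict>
      <key>AllowedSystemExtensionTypes</key><dict><key>$TEAM_ID</key><array><string>EndpointSecurityExtension</string></array></dict>
    </dict>
EOF
}
# Managed Login Items (macOS 13+): a TeamIdentifier rule stops users from
# disabling the vendor's background items in System Settings > Login Items.
login_items_payload() {
  payload_header com.apple.servicemanagement loginitems 33333333-3333-4333-8333-333333333333
  cat <<EOF
      <key>Rules</key><array><dict><key>RuleType</key><string>TeamIdentifier</string>
        <key>RuleValue</key><string>$TEAM_ID</string></dict></array>
    </dict>
EOF
}
build_profile() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string><key>PayloadScope</key><string>System</string>
  <key>PayloadIdentifier</key><string>$PREFIX.agent-permissions</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000000</string><key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Endpoint Central agent permissions</string>
  <key>PayloadContent</key><array>
EOF
  pppc_payload; sysext_payload; login_items_payload
  printf '  </array>\n</dict></plist>\n'
}
# Usage: sh this_script.sh --print > endpoint-central-agent.mobileconfig
# On a Mac with the agent installed, compare each REQ_* string with the
# binary's designated requirement before deploying:  codesign -d -r - /path/to/binary
case "${1:-}" in --print) build_profile ;; esac
```

Run the script with --print and import the resulting file into the MDM. Full Disk Access and Accessibility are set to Allow; the Screen Recording entry uses AllowStandardUserToSetSystemService because MDM cannot pre-approve that service. A code requirement that does not match the installed binary grants nothing and fails silently, so check each requirement with codesign on a test machine first.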
